A cybersecurity research team has found an unidentified open database containing 24GB of records detailing information on 80 million American households.
VPNMentor’s research team of Noam Rotem and Ran Locar found the database hosted on a Microsoft cloud server containing extremely detailed information about individual homes ranging from the owners name, address, age, map coordinates and birthdates. Other information included, but noted in a numerical code, is gender, marital status, income, homeowner status and dwelling type.
One vital piece of information that would enable Rotem and Locar to rectify the problem has not been uncovered.
“Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner,” they wrote.
However, there are a few clues. Each records contains a member ID indicating it could be from a service company, also there is a category for income level leading Rotem and Locar to think it could be from an insurance, healthcare or mortgage company. But to counter this line of thought there are no policy or account numbers, social security numbers, or payment types.
Having no luck on their own the two researchers have decided to crowdsource the problem by asking others to put on their detective hats and ponder the clues available.
“What service is used by 80 million homes across the US – but only the US – and only by people over 40? What service would collect your homeowner status and dwelling type but not your social security number? And what service records that you’re married but not how many children you have?” they asked.
Even though the records do not include truly damaging information such as Social Security numbers or payment card information, the data available could still prove dangerous if in the wrong hands.
- There are enough clues contained to divine an email address opening people up to phishing attacks.
- A name and address are enough to find out if a person lives in a wealthy area, and can lead to public social media accounts. With geotagging and people simply posting that they are away from home this info could be used to conduct burglaries.
- All the information together can be used to build a social engineering snapshot making a person vulnerable to a variety of exploits.
The database was discovered while the two were conducting a web-mapping project in which they use use port scanning to examine known IP blocks. This reveals open holes in web systems, which they can then examine for weaknesses and data leaks.